This topic shows you how to configure alert rules to monitor the use of your Alibaba Cloud account after you use ActionTrail to deliver events to a specified Log Service Logstore.

Prerequisites

Log Service is activated.

If Log Service is not activated, log on to the Log Service console and activate the service as prompted.

Create a trail

  1. Log on to the ActionTrail console.
  2. In the left-side navigation pane, click Trails.
  3. In the top navigation bar, select the region where you want to create a single-account trail.
    Note: The region that you select becomes the home region of the trail that you want to create.
  4. On the Trails page, click Create Trail.
  5. In the Trail Basic Settings step, set the parameters and click Next. The following table describes the parameters.
    Parameter | Description
    Trail Name | The name of the trail that you want to create. The name must be unique within your Alibaba Cloud account.
    Applied Regions | The region or regions from which the trail delivers events. For this example, select All Regions.
    Event Type | The type of the events that the trail delivers. For this example, select All.
  6. In the Event Delivery Settings step, select Delivery to Log Service and then select Delivery to Current Account.
  7. Select New Log Service Project, select a region from the Logstore Region drop-down list, and then set the Project Name parameter.
  8. Click Next.
  9. In the Preview and Create step, confirm the trail information and click Submit.

Configure event analysis

  1. In the left-side navigation pane of the ActionTrail console, click Trails.
  2. Find the trail for which you want to configure an alert rule and click Log Analysis in the Log Service column.
    Note: You can also log on to the Log Service console to configure an alert rule.
  3. Click the name of the Logstore that you want to manage. In the upper-right corner of the page that appears, click 15 Minutes(Relative) to specify a time range for the query.
  4. Enter the following query in the search box and click Search & Analyze:
       event.userIdentity.type:"root-account" | select count(1) as use_root
  5. Click Save Search or Save as Alert.
    • Save the query: Click Save Search in the upper-right corner. Set the Saved Search Name parameter and click OK.
      Note: After you save the query, you can select it in the Log Service console to initiate the query.

      For more information, see Saved search.

    • Configure an alert rule based on the query: Choose Save as Alert > Old Version Alert in the upper-right corner. The Alert Monitoring Rule panel appears. Set the parameters and click OK.

      For more information, see Create an alert rule.

      Note: After you configure the alert rule, you can receive an alert notification when the alert is triggered. For example, Log Service checks the use of your Alibaba Cloud account every 5 minutes based on the alert rule that is shown in the preceding figure. If your Alibaba Cloud account was used in the last 5 minutes, Log Service generates an alert.
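
The check that the saved query and the 5-minute alert rule perform can be reproduced offline to validate the logic before relying on the alert. The following Python code is an added example, not part of the original documentation. It assumes one JSON record per line, a trigger condition of use_root greater than 0, and field names other than event.userIdentity.type (eventTime, eventName, sourceIpAddress); the sample records are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real logs. Only userIdentity.type and the
# value "root-account" come from the query above; other fields are assumed.
SAMPLE_LOG = """\
{"event": {"eventTime": "2024-01-01T10:01:30Z", "eventName": "ConsoleSignin", "sourceIpAddress": "192.0.2.10", "userIdentity": {"type": "root-account"}}}
{"event": {"eventTime": "2024-01-01T10:02:00Z", "eventName": "DescribeInstances", "sourceIpAddress": "192.0.2.20", "userIdentity": {"type": "ram-user"}}}
{"event": {"eventTime": "2024-01-01T09:50:00Z", "eventName": "CreateAccessKey", "sourceIpAddress": "192.0.2.10", "userIdentity": {"type": "root-account"}}}
not-json
{"event": {"eventTime": "2024-01-01T10:04:10Z", "eventName": "CreateUser", "sourceIpAddress": "198.51.100.7", "userIdentity": {"type": "root-account"}}}
{"event": {"eventTime": "2024-01-01T10:03:00Z", "eventName": "ListBuckets"}}
"""


def parse_time(value):
    """Parse a UTC timestamp such as 2024-01-01T10:01:30Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def root_account_events(lines, now, window=timedelta(minutes=5)):
    """Return root-account events with now - window < eventTime <= now."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)["event"]
            when = parse_time(event["eventTime"])
            identity = event.get("userIdentity") or {}
            is_root = identity.get("type") == "root-account"
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # skip malformed or incomplete records
        if is_root and now - window < when <= now:
            hits.append(event)
    return hits


def evaluate_alert(lines, now):
    """Mirror `select count(1) as use_root`; fire when the count is above 0."""
    hits = root_account_events(lines, now)
    sources = sorted({e.get("sourceIpAddress", "unknown") for e in hits})
    return {"use_root": len(hits), "fire": len(hits) > 0, "sources": sources}


if __name__ == "__main__":
    check_time = datetime(2024, 1, 1, 10, 5, tzinfo=timezone.utc)
    print(evaluate_alert(SAMPLE_LOG.splitlines(), check_time))
```

The sources list is not part of the saved query; it is included so that a responder can see where the root-account activity came from when the alert fires.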

Result

You can view and manage the saved query and alert rules in the Log Service console.
